This is the story of how the UK banking system could have collapsed
in the early 1990s, but for the forbearance of a junior barrister who
also happened to be an expert in computer law – and who discovered that
at that time the computing department of one of the banks issuing ATM
cards had “gone rogue”, cracking PINs and taking money from customers’
accounts with abandon.
—
How ATM fraud nearly brought down British banking
Phantoms and rogue banks,
By Charles Arthur,
The Register,
Published Friday 21st October 2005 09:52 GMT

This problem had been going on since the 1980s, and there has been
a class action lawsuit in process since 1992 trying to force the affected
banks to replace the money stolen from their customers.
Why have we only heard about it now?

The story clarifies this:

The reason you’re hearing it now is that, with Chip and PIN cards finally
in widespread use in the UK, the risk of the ATM network being abused
as it was has fallen away.

Hm, that’s good for the U.K.
Maybe not so good for the U.S., where such cards are not in widespread use.
Maybe four-digit PINs that are easy to steal or guess weren’t such a good
idea after all.
Maybe it’s time for something to change in the U.S.

Well-known security researcher Ross Anderson is cited in the story
as agreeing that the current U.K. chip and PIN system does away with
the loophole the rogue bank was using.
However, Prof. Anderson had already published
a white paper in which he and others spell out why chip and PIN
is not a panacea.
The paper notes that when this new scheme was first introduced,
fraud actually increased.

There are technical problems with chip and PIN,
but the primary difficulty is economic and legal:
banks have succeeded in shifting liability onto their customers,
even though it is the banks that design and implement
the security systems involved.

It is well-known to students of security economics that when one party
is responsible for protecting a system, while another party suffers when
it fails, then security failure can be expected.
—
Chip and Spin,
Ross Anderson, Mike Bond, and Steven J. Murdoch
Computer Laboratory, University of Cambridge

Nothing’s perfect, but something like chip and PIN might be a good idea
in the U.S.; it would make phishing harder, at least.